The SePrivilegeCheck routine determines whether a specified set of privileges is enabled in the subject's access token.
BOOLEAN SePrivilegeCheck( PPRIVILEGE_SET RequiredPrivileges, PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, KPROCESSOR_MODE AccessMode );
Pointer to a PRIVILEGE_SET structure. The Privilege member of this structure is an array of LUID_AND_ATTRIBUTES structures. Before calling SePrivilegeCheck, use the Privilege array to indicate the set of privileges to check. Set the Control member to PRIVILEGE_SET_ALL_NECESSARY if all of the privileges must be enabled; or set it to zero if it is sufficient that any one of the privileges be enabled.
When SePrivilegeCheck returns, the Attributes member of each LUID_AND_ATTRIBUTES structure is set to SE_PRIVILEGE_USED_FOR_ACCESS if the corresponding privilege is enabled.
Pointer to the subject's captured security context.
The access mode to use for the privilege check. Either UserMode or KernelMode. If AccessMode is set to KernelMode, then all privileges are marked as being possessed by the subject, and SePrivilegeCheck returns TRUE.
SePrivilegeCheck returns TRUE if all specified privileges are held by the subject, FALSE otherwise.
An access token contains a list of the privileges held by the account associated with the token. These privileges can be enabled or disabled; most are disabled by default. SePrivilegeCheck checks only for enabled privileges. To get a list of all the enabled and disabled privileges held by an access token, call SeQueryInformationToken.
For more information about security and access control, see the documentation on these topics in the Microsoft Windows SDK.
|Header||ntifs.h (include Ntifs.h)|
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.